I am new to Splunk and I am still trying to figure this out. Do I have to have a SA account to get this to work for me?

You shouldn't need an SA account. I modified it because I was getting erros because of the lase eval statement to:

index=_internal source=*license_usage.log type="RolloverSummary" earliest=@d
| stats sum(b) AS used max(stacksz) AS quota by _time
| eval usedGB=round(used/1024/1024/1024,3)
| eval quotaGB=round(quota/1024/1024/1024,3)
| table _time, usedGB, quotaGB
| eval percentage=round(usedGB / totalGB, 1)*100
| eval usage = usedGB . " ("%)"
| fields _time, usedGB, quotaGB, usage
| where 'usedGB' > 17

From Splunk, enter the above modified search from tiagofbmm's, and adjust the 17 at the end to whatever usage you want it to alert on, and run it. Then click on Save As in the right hand corner of the New Search window and save it as an alert. Set up your alert preferences and save, and it should trigger whenever you set.

I think I got it. I see where I went wrong. I have it set for Mon at 6 a.m. for one alert. I sent another one for later on today. We will see how it goes. Thank you for your help.

No problem, let us know if you get it working or not.

I thought I would expect to get some sort of email of an alert. unfortunately I am not getting anything.

I set up 4 different alerts with one triggers.

Title Actions Owner App Sharing Status
Disabled user accounts
Open in Search Edit user search Private Enabled
Test Alert 17gb
Open in Search Edit user search Private Enabled
Usage Alert 125gb
Open in Search Edit user search Private Enabled
index=windows "EventCode=4634"

Is there something in the Alert section I was suppose to click on in order for the alerts to work?

I went and entered it in the search for far I am getting unbalanced quotes. I figuring out where I went wrong.